Monitoring encrypted network traffic flows in a virtual environment using dynamic session key acquisition techniques

ABSTRACT

A method executed by a dynamic session key acquisition (DSKA) engine residing in a virtual environment includes receiving session decryption information extraction instructions that configure the DSKA engine to obtain session decryption information for at least one communication session involving a virtual machine and obtaining the session decryption information from the virtual machine in accordance with the session decryption information extraction instructions. The session decryption information includes cryptographic keys utilized by an application server instance in the virtual machine to establish the at least one communication session. The session decryption information obtained from the virtual machine is stored and provided to a network traffic monitoring (NTM) agent. The NTM agent utilizes the session decryption information to decrypt copies of encrypted network traffic flows belonging to the at least one communication session involving the virtual machine.

PRIORITY CLAIM

This application is a continuation of U.S. patent application Ser. No.16/113,360, filed Aug. 27, 2018, which claims the benefit of U.S.Provisional Patent Application No. 62/550,558, filed Aug. 25, 2017, thedisclosure of which is incorporated herein by reference in its entirety.

TECHNICAL FIELD

The subject matter described herein relates to passive monitoring ofnetwork traffic communications in a virtual environment. Morespecifically, the subject matter relates to monitoring encrypted networktraffic flows in a virtual environment using dynamic session keyacquisition techniques.

BACKGROUND

The monitoring and processing of secure sockets layer (SSL) traffic is acomputationally expensive task that places a large burden on a virtualnetwork's resources. Many network visibility tools handle SSL traffic(e.g., SSL records communicated via packets) by acting as aMan-In-The-Middle (MITM) entity, thereby decrypting and re-encryptingreceived SSL traffic while extracting a clear-text copy for associatednetwork monitoring tools. In a typical virtual SSL proxy architecture, aclient device or instance is configured to negotiate an encryptedconnection for a secure session (e.g., SSL session) between itself andan SSL proxy instance. Likewise, a destination server instance and theSSL proxy instance subsequently negotiate a second encrypted connectionin order to conduct a secure session between the destination serverinstance and the SSL proxy instance. Since the SSL proxy instance mustdecrypt and re-encrypt all network traffic (e.g., record traffic orpacket traffic) before the traffic can be forwarded to the intendedrecipient, this method (often referred to as active SSL inspection orfull SSL inspection) can introduce severe performance bottlenecks on theprocessing of live network traffic. More specifically, active SSLinspection methods frequently used today involve terminating the SSLconnection at a MITM point, decrypting the encrypted traffic data,creating a copy of clear text data to be sent to the out-of-bandanalysis tool(s), and then re-encrypting the connection prior to sendingthe encrypted network traffic to its intended destination server.

Accordingly, a need exists for methods, systems, and computer readablemedia for monitoring encrypted network traffic flows in a virtualenvironment using dynamic session key acquisition techniques.

SUMMARY

Methods, systems, and computer readable for monitoring encrypted networktraffic flows in a virtual environment using dynamic session keyacquisition techniques are disclosed. According to one method executedby a dynamic session key acquisition (DSKA) engine residing in a virtualenvironment, the method includes receiving session decryptioninformation extraction instructions that configure the DSKA engine toobtain session decryption information for at least one communicationsession involving a virtual machine and obtaining the session decryptioninformation from the virtual machine in accordance with the sessiondecryption information extraction instructions, wherein the sessiondecryption information includes cryptographic keys utilized by anapplication server instance in the virtual machine to establish the atleast one communication session. The method further includes storing thesession decryption information obtained from the virtual machine andproviding the session decryption information to a network trafficmonitoring (NTM) agent, wherein the NTM agent utilizes the sessiondecryption information to decrypt copies of encrypted network trafficflows belonging to the at least one communication session involving thevirtual machine.

The subject matter described herein may be implemented in software incombination with hardware and/or firmware. For example, the subjectmatter described herein may be implemented in software executed by aprocessor. In one exemplary implementation, the subject matter describedherein may be implemented using a non-transitory computer readablemedium having stored therein computer executable instructions that whenexecuted by the processor of a computer control the computer to performsteps. Exemplary non-transitory computer readable media suitable forimplementing the subject matter described herein include non-transitorydevices, such as disk memory devices, chip memory devices, programmablelogic devices, field-programmable gate arrays, and application specificintegrated circuits. In addition, a computer readable medium thatimplements the subject matter described herein may be located on asingle device or computing platform or may be distributed acrossmultiple devices or computing platforms.

As used herein, the term ‘node’ refers to a physical computing platformincluding one or more processors, network interfaces, and memory.

As used herein, each of the terms ‘engine’ and ‘agent’ refers to virtualcomponents that are supported by underlying hardware and software forimplementing the feature(s) being described.

As used herein, the term “packet” refers to a network packet or anyformatted unit of data capable of being transmitted in a computernetwork, such as protocol data unit, a frame, a datagram, a userdatagram protocol packet, a transport control protocol packet, an SSLrecord, a TLS record, or the like.

BRIEF DESCRIPTION OF THE DRAWINGS

The subject matter described herein will now be explained with referenceto the accompanying drawings of which:

FIG. 1 is a block diagram illustrating a dynamic session key acquisitionsystem that is configured to monitor encrypted network traffic flows ina virtual environment using dynamic session key acquisition techniquesaccording to an embodiment of the subject matter described herein;

FIG. 2 is a block diagram illustrating a decryption session keyacquisition system included in a virtual environment according to anembodiment of the subject matter described herein; and

FIG. 3 is flowchart illustrating a process for monitoring encryptednetwork traffic flows in a virtual environment using dynamic session keyacquisition techniques according to an embodiment of the subject matterdescribed herein.

DETAILED DESCRIPTION

The subject matter described herein relates to methods, systems, andcomputer readable media for monitoring encrypted network traffic flowsin a virtual environment using dynamic session key acquisitiontechniques. In some embodiments, the disclosed subject matter includes adynamic session key acquisition (DSKA) engine that is configured tocommunicate with network traffic monitoring (NTM) agent (e.g., a anSSL-aware network packet broker (NPB) element) and monitorcommunications in a virtual environment. In some examples, the NTM agentmay comprise an extended Berkeley packet filter (eBPF)-based keyacquisition mechanism that is configured to passively obtain SDIinformation without active involvement (e.g., proxy functionality) of anSSL key server instance. Specifically, the DSKA engine may be configuredto detect per-session cryptographic key information session decryptioninformation contained in packets or records communicated between avirtual SSL server instance and a virtual application server instance.Such per-session cryptographic key information (e.g., public and privatepair key information) may be referred to herein as session decryptioninformation (SDI). Alternatively, the DSKA engine may directly obtainsession decryption information from the virtual SSL server instance(e.g., its local key store). Once obtained, the session decryptioninformation may be provided to the NTM agent by the DSKA engine via avirtual tap interface. In some embodiments, the session decryptioninformation associated with SSL sessions monitored by the DSKA system issent via a secure communications tunnel (e.g., an IPsec tunnel) that isestablished between the NTM agent and a virtual tap instance. The NTMagent may then use the session decryption information to inspect copiesof encrypted packets and perform a number of NPB functions, such asfiltering, sampling, de-duplication, and data masking, at a much higherthroughput rate than a network element that implements active SSLdecrypt/encrypt inspection.

In some instances, the disclosed subject matter describes the encryptionand decryption of packets as part of the monitoring of network trafficflows. Although the disclosed subject matter pertains largely to theencryption and decryption of SSL-based datagrams or records (which maybe communicated via one or more packets), it is understood by personsskilled in the art of SSL communications that any description below ofthe encryption and decryption of packets corresponding to a monitorednetwork traffic flow can involve the encryption and decryption ofSSL-based records. In some embodiments, a record is a logical portioningat SSL level (above layer 4) and may span (i.e., be included in partvia) multiple packets.

Embodiments of the disclosed subject matter illustrate exemplarydeployments in the context of SSL communications. It will be appreciatedthat other embodiments of the disclosed subject matter can be deployedin a generally similar manner to provide the monitoring functionality ina transport layer security (TLS)-based or an IPsec-based encryptionenvironment.

Reference will now be made in detail to various embodiments of thesubject matter described herein, examples of which are illustrated inthe accompanying drawings. Wherever possible, the same reference numberswill be used throughout the drawings to refer to the same or like parts.

FIG. 1 depicts a logical block diagram of one exemplary DSKA-basedmonitoring system that is described herein. As shown in FIG. 1, anetwork environment 100 includes at least one client device 102 thathosts a client application 103 (e.g., a web browser application). Clientdevice 102 may comprise a user endpoint device, such as a smartphone,personal computer, laptop computer, Internet of things (IoT) device, orany other device that is configured to host and support clientapplication 103. Alternatively, client device 102 may comprise a clientinstance that runs on a virtual machine hosted within a cloud-computingenvironment.

Network environment 100 may further include a computing platform 104 andan NTM agent 106. Computing platform 104 can comprise a DSKA engine 108that is configured to communicate with virtual machine (VM) 110, whichhosts an application server instance 112 and an SSL server instance 114.For example, each of application server instance 112 and SSL serverinstance 114 may comprise a virtual instance running on a virtualmachine container hosted within a cloud-computing environment. In someembodiments, SSL server instance 114 may provide SSL service support forapplication server instance 112. For example, SSL server instance 114may be configured to establish an SSL communication session with clientdevice 102 in response to application server instance 112 receivingsecure session requests (from client application 103). In someembodiments, the monitored communication session between client device102 and an application server instance 112 may be established using aper-session encryption technique, such as elliptic curve Diffie-Hellmanephemeral (ECDHE). In other embodiments (not shown), the SSL serverinstance 114 and application server instance 112 may constitute the sameentity (i.e., the application server is capable of conducting its ownSSL key generation for a session with client application 103).

In some embodiments, SSL server instance 114 can be configured forcreating, distributing, and storing session decryption information(e.g., ephemeral cryptographic security keys and associated sessionidentification information) for communication sessions traversing amonitored network environment. For example, as used herein, sessiondecryption information may include at least private and publiccryptographic key pair information that is associated with a monitoredsession. In some embodiments, SSL server instance 114 is responsible forgenerating the cryptographic public and private key pairs for amonitored application server instance 112 that is establishing an SSLsession with a requesting client application 103 and/or client device102.

In one exemplary scenario, client application 103 may initiate an SSLsession with application server instance 112. In such a scenario,application server instance 112 may send a message to SSL serverinstance 114 to request that session decryption information (e.g.,public and private key pair data) for the client requested session begenerated and stored by SSL server instance 114. In some embodiments,the generated session decryption information may include ECDHEcryptographic security keys (e.g., public and private key pair data).SSL server instance 114 may maintain a key store (not shown in FIG. 1)that is configured to store data that identifies monitored communicationsessions (e.g., a session involving the application server instance 112)as well as the session decryption information corresponding to themonitored communication session. For example, SSL server instance 114may include a key store database that contains entries that map publickey and private key pairs to one or more monitored session identifiers.Exemplary session identifiers may include a client applicationidentifier, a client device identifier, a monitored applicationidentifier, a monitored application server identifier, a VLANidentifier, or a SSL-based identifier.

In some embodiments, DSKA engine 108 may be configured to the acquiresession decryption information from the SSL server instance 114 that ishosted locally by virtual machine 110. As described in greater detailbelow and in FIG. 2, DSKA engine 108 may be adapted to monitor thecommunication sessions conducted between SSL server instance 114 andapplication server instance 112 and extract session decryptioninformation contained within (e.g., using a hook function).Alternatively, DSKA engine 108 may be configured to obtain the sessiondecryption information, via direct access, from the aforementioned keystore. After obtaining the session decryption information, DSKA engine108 can forward that information to NTM agent 106.

In some embodiments, NTM agent 106 comprises an SSL-aware network packetbroker (NPB) device configured to monitor network traffic flow records(e.g., packets or records communicated between client device 102 andapplication server instance 112) in a passive manner. NTM agent 106 mayalso be configured to maintain a list of sessions that have beendesignated to be monitored. In some embodiments, a network operator mayprovision NTM agent 106 with session identifiers that indicate specificapplications and/or sessions that require monitoring or surveillance.For example, a session list may include a number of entries, whereineach of the entries includes at least one session identifier, such as aclient application identifier, a client device identifier, a monitoredapplication identifier, a monitored application device identifier, aVLAN identifier, and/or an SSL-based identifier (e.g., a publiccryptographic key value). Notably, the session list maintained by NTMagent 106 includes session identifiers that correspond to one or more ofthe session identifiers included in a key store database managed by SSLserver instance 114 (as described below in FIG. 2).

In some embodiments, NTM agent 106 may be configured to receive copiesof encrypted network traffic flows communicated between client device102 and application server instance 112 (or a monitored applicationserver) in computing platform 104. In some embodiments, NTM agent 106may be connected (e.g., via a virtual network interface card as shown inFIG. 2) to one or more virtual tap (or probe) instances in computingplatform 104 that are configured to identify and copy packets/records ofspecified network traffic flows. After identifying an encrypted packetor record associated with a network traffic flow that has beendesignated for monitoring, virtual tap instance 115 is configured tocreate a copy of the packet or record and forward the encrypted copiesto NTM agent 106 via a secure interface connection 122. Similarly, theoriginally received packet or record (from which the copy was made) isforwarded to its intended destination by virtual tap instances 115. Forexample, NTM agent 106 can receive (from virtual tap instance 115)copies of encrypted network traffic flows that are communicated to/fromvirtual machine 110. Further, NTM agent 106 may be configured to inspectthese network traffic flows communicated over sessions that have beendesignated for monitoring. In some embodiments, NTM agent 106 may alsobe provisioned with sufficient storage (or granted access to sufficientnon-local storage) to store the copies of encrypted records and/orpackets of the monitored sessions.

As indicated above, NTM agent 106 is further configured to establish asecure interface connection 122 with computing platform 104. In someembodiments, secure interface connection 122 is established as aseparate and dedicated SSL session or an IPsec tunnel between NTM agent106 and computing platform 104. Once established, secure interfaceconnection 122 may be used by NTM agent 106 to receive sessiondecryption information (e.g., public and private cryptographic key pairinformation) for a session originally requested by client device 102. Insome embodiments, DSKA engine 108 may be configured to distribute thesession decryption information obtained from server instance(s) invirtual machine 110 by automatically forwarding the collected sessiondecryption information (e.g., private and public cryptographic keyinformation and session identification information) to one or moresubscribed/designated NTM agents (e.g., NTM agent 106) at or near thetime when the public and private cryptographic key pairs are created. Aspreviously indicated, DSKA engine 108 is configured to maintain anauthorization list of encryption-aware NTM agents that are authorized orsubscribed to receive session decryption information related to amonitored session. Specifically, NTM agents (e.g., NTM agent 106)included in the authorization list maintained by DSKA engine 108 aredesignated to receive the session decryption information in real-time(e.g., as the session decryption information is generated) or inaccordance with a session decryption information provisioning scheduleestablished by a network operator. For example, DSKA engine 108 mayattempt to provide public and private key pair information to eachsubscribed NTM agent or device via separate secure interface connections(e.g., similar to secure interface connection 122) as soon as the publicand private key information is generated and/or stored by SSL serverinstance 114.

After NTM agent 106 receives the session decryption information fromDSKA engine 108 via virtual tap instance 115 and secure interfaceconnection 122, NTM agent 106 may decrypt the packets and/or records ofthe copied encrypted traffic flow(s). In some embodiments, NTM agent 106may receive a copy of encrypted traffic flow(s) from virtual tapinstance 115. Notably, NTM agent 106 is configured to decrypt the copiesof the obtained encrypted records using the session decryptioninformation received from SSL server instance 114.

NTM agent 106 may then inspect the network traffic flow records and/orpackets decrypted with the session decryption information (i.e., privatekey value) and perform NPB functions (e.g., filtering, sampling,de-duplication, and/or data masking) on the decrypted network trafficflow records and/or packets. For example, after the encrypted networktraffic flow packets and/or records are decrypted by NTM agent 106 usingthe session decryption information provided by DSKA engine 108, thedecrypted packets/records are subsequently processed by one or morepacket broker filtering rules and/or sampling rules provisioned in NTMagent 106. In particular, the rules are used by NTM agent 106 todetermine which packets and/or records are to be forwarded to one ormore out-of-band network tools 116 (e.g., via NPB tool ports). NTM agent106 may also apply processing operations that modify the packets/recordsor the associated network traffic flow (e.g., replication,de-duplication, data masking, etc.) prior to forwarding packets/recordsto the appropriate out-of-band network tools 116 (e.g., via the NPB toolports). Notably, NPB functions performed by NTM agent 106 are conductedat a greater throughput rate as compared to a MITM network element thatimplements active SSL decrypt/encrypt inspection. After assessing anddetermining the proper network tool destinations, NTM agent 106 forwardsthe decrypted session records and/or flow metadata accordingly.

It will be appreciated that FIG. 1 is for illustrative purposes and thatvarious depicted entities, their locations, and/or their functionsdescribed above in relation to FIG. 1 may be changed, altered, added, orremoved without departing from the scope of the disclosed subjectmatter.

FIG. 2 depicts is a block diagram illustrating a dynamic session keyacquisition system existing in a network environment 200 according to anembodiment of the subject matter described herein. As shown in FIG. 2,network environment 200 may comprise a physical computing platform 204that supports a hypervisor 206 and at least one virtual machine 208.Computing platform 204 may also include underlying hardware componentsthat support hypervisor 206 and virtual machine 208. For example,computer platform 204 may include a processor 205, memory 207, diskstorage 209, a network interface card (not shown), and the like.Processor 205 may comprise a central processing unit (CPU), amicrocontroller, or any other physical processing device for executingsoftware instructions stored in memory 207. Memory 207 may comprise anysuitable non-transitory storage medium that resides on a physicalcomputing host device, such as random-access memory (RAM), flash memory,and the like. Disk storage 209 can include any physical storage unitconfigured to storing data on computing platform 204, such as a harddisk drive (HDD) or array, a solid state drive (SSD) or array, aportable flash drive, and the like.

As indicated above, computing platform 204 may include a hypervisor 206and at least one virtual machine 208. Hypervisor 206 may either be aType 1 hypervisor (e.g., a bare metal hypervisor) or a Type 2 hypervisor(e.g., a kernel-based VM hypervisor). In some examples, hypervisor 206is a software program that enables multiple guest operating systems toshare the physical resources of a single hardware host, i.e., computingplatform 204. Notably, hypervisor 206 coordinates the assignment andallocation of hardware resources to establish tenant virtual machines.Further, hypervisor 206 may be responsible for establishing and managingone or machines (e.g., creating, deleting, migrating, restarting, and/orstopping virtual machines). For example, hypervisor 206 may allocateand/or emulate physical resources to establish and support virtualmachine 208. Hypervisor 206 may create virtual machine environments andcoordinate system calls for the processor, memory, hard disk, network,and other physical platform resources directly (e.g., Type 1 hypervisor)or via the computing platform operating system (e.g., Type 2hypervisor). In some examples, hypervisor 206 may be configured toreceive commands from a hypervisor controller (not shown) or some otherentity that instructs hypervisor 206 as to how to manage and/orconfigure virtual machine 208.

Hypervisor 206 may be configured to support a DSKA engine 210 and anassociated virtual network interface card 218. Notably, virtual networkinterface card 218 can be supported by an underlying physical hardwarenetwork interface card (not shown) installed on computing platform 204.In some embodiments, DSKA engine 210 may comprise a packet filterelement (e.g., an enhanced Berkeley packet filter) that is used tomanage the extraction of session decryption information communicatedand/or utilized by server instances supported in virtual machine 208.DSKA engine 210 may also include a local database 224 that is configuredto store session decryption information that the DSKA engine 210 hascollected from virtual machine 208 (e.g., directly from key store 222 orfrom communication session 213). Local database 224 may also be used byDSKA engine 210 to maintain identification records of network trafficmonitoring (NTM) agents that are subscribed to receive sessiondecryption information. For example, DSKA engine 210 may be configuredto maintain a log in database 224 of NTM agents that are configured tomonitor a particular session and provide the session decryptioninformation to the appropriate NTM agents.

Network environment 200 may further include a NTM agent 202. Althoughdepicted in FIG. 2 as a separate network element located in networkenvironment 200, NTM agent 202 may instead be hosted in virtual machine208 or another virtual machine local to computing platform 204.Alternatively, NTM agent 202 may be supported by a separate virtualmachine or application that resides on a different physical computinghost device (not shown).

In some embodiments, DSKA engine 210 may be configured to receivesession decryption information extraction instructions (e.g., from anetwork operator) via a virtual tap instance 216 or NTM agent 202. Insome embodiments, DSKA engine 210 is initially provisioned withinstructions or code by a network operator. For example, the extractioninstructions or code may be delivered to DSKA engine 210 directly fromvirtual tap instance 216 or from NTM agent 202, via a secure connection220, a virtual network interface card 218, and virtual tap instance 216.In such a scenario, virtual tap instance 216 or NTM agent 202 passesinstructions to DSKA engine 210 that instruct the DSKA engine 210 tomonitor for and obtain session decryption information communicated innetwork traffic sessions associated with particular virtual applicationserver instance. For example, the extraction instructions may include asession identifier associated with the monitored application serverinstance 212.

As shown in FIG. 2, virtual tap instance 216 may comprise a virtualinstance of a software-based monitoring agent application that is usedto observe and generate copies of encrypted network traffic flow recordsand/or packets associated with a monitored session between a client (notshown) and monitored application server instance 212. In someembodiments, the records and/or packets are encrypted for communicationbetween the client and application server instance 212 using ECDHE, orsome other per-session, public and private cryptographic key encryptiontechnique. Virtual tap instance 216 is interposed in virtual machine 208so as to passively create encrypted copies of monitored record and/orpackets associated with a secure communication session between theclient and application server instance 212. The copied network trafficflow records and/or packets are relayed and/or forwarded by virtual tapinstance 216 to NTM agent 202. Notably, the copied network traffic flowrecords and/or packets received by NTM agent 202 retain their originalencryption. Further, virtual tap instance 216 may be deployed as avirtualized element in a cloud computing virtual environment, so as tobe embodied by a virtual machine or virtual computing cluster. In someembodiments, a virtual tap instance 216 may be deployed in tandem with avirtual application server instance (e.g., application server instance212) that is to be monitored, such that virtual tap instance 216 iscapable of observing and passively creating copies of monitored networktraffic flow records or packets associated with a secure communicationsession between a monitored client and application server instance 212.The copied monitored network traffic flow records and/or packets retaintheir original encryption and are relayed or forwarded to NTM agent 202via virtual network interface card 218 and secure connection 220.

After receiving the session decryption information extractioninstructions from either virtual tap instance 216 or NTM agent 202, DSKAengine 210 may attempt to obtain and record the requested sessiondecryption information using a plurality of techniques. Notably, themanner in which DSKA engine 210 obtains the requested session decryptioninformation may be based on its own local configuration or in accordancewith a protocol designation included in the session decryptioninformation extraction instructions itself. For example, the DSKA engine210 may be configured to observe network traffic flow communicationsbetween the monitored application server instance 212 and SSL serverinstance 214 in virtual machine 208.

SSL server instance 214 may be configured to create, distribute, andstore session-specific cryptographic key pairs that can be used toencrypt and decrypt SSL records and/or packets associated with amonitored SSL session. Monitored application server instance 212 isconfigured to communicate with SSL server instance 214 to obtainsecurity key information corresponding to one or more communicationsessions with a requesting client application and/or device.Specifically, SSL server instance 214 is configured to provide SSLservices to a monitored application server instance 212, which is beingmonitored by the monitoring system (i.e., NTM agent 202, DSKA engine210, and/or and virtual tap instance 216). For example, SSL serverinstance 214 can generate and store per-session private and public keyinformation on behalf of a monitored application hosted by applicationserver instance 212. Further, SSL server instance 214 may use database224 to store session decrypt information that identifies the session(e.g., a session identifier, session identifier tuple, etc.), includes apublic key value to be used by the application server instance 212 forestablishing a secure session with a client instance or device (notshown), and includes a private key value to be used by applicationserver instance 212 in establishing a secure session with the clientinstance or device.

In some embodiments, monitored application server instance 212 mayreceive a session request from a client (not shown) and be configured toestablish an SSL session to securely communicate data via records orpackets with the client. In such a scenario, SSL server instance 214 maybe configured to generate and make available a public and privatecryptographic key pair to monitored application server instance 212. Forexample, in instances where SSL server instance 214 and monitoredapplication server instance 212 are the same entity (e.g., the sameserver), then SSL server instance 214 may communicate the publiccryptographic key to the client and provide (e.g., “push”) sessiondecryption information including the cryptographic key pair to one ormore registered NTM agents, such as NTM agent 202.

In some embodiments, DSKA engine 210 may execute a hook function thataccesses and inspects the packets or records that are communicated inthe network traffic flow between application server instance 212 and SSLserver instance 214 (as described below). Although monitored applicationserver instance 212 and SSL server instance 214 are shown to reside onthe same virtual machine in FIG. 2, the two server instances may resideon separate virtual machines hosted by computing platform 204 withoutdeparting from the scope of the disclosed subject matter.

In other embodiments, DSKA engine 210 may be configured to directlyaccess and inspect session decryption information that is stored in keystore 222 of SSL server instance 214. Key store 222 may be used by SSLserver instance 214 may store all of the session decryption informationcorresponding to SSL sessions (with various application serverinstances) established by SSL server instance 214. Specifically, keystore 222 may contain entries that include session identification datathat identifies, or can be used to identify, a communications sessionbetween the monitored client and the monitored application server, aswell as the public and private cryptographic keys associated with thatsession.

In some embodiments, DSKA engine 210 may utilize a query function thatsends a request message to SSL server instance 214 and requests thecorresponding session decryption information stored in key store 222. Insome embodiments, DSKA engine 210 is able to execute a query function todirectly access and view the key store 222 residing in SSL serverinstance 214. For example, DSKA engine 210 provides a session identifierthat is included in the request message sent to key store 222 thatidentifies the session being monitored. In response to receiving such arequest message from DSKA engine 210, SSL server instance 214 mayforward the session decryption information corresponding to the providedsession identifier to DSKA engine 210. In other embodiments, DSKA engine210 may execute a hook function to directly access the key store 222 andextract the appropriate session decryption information per theextraction instructions (which contains the session identifier).

In some examples, DSKA engine 210 may be configured to monitor acommunication session 213 established between application serverinstance 212 and SSL server instance 214. In some embodiments,communications session 213 may be implemented via an applicationprogramming interface (API). Notably, DSKA engine 210 can be configuredby the received extraction instructions to inspect session 213 forcommunicated session decryption information. For instance, DSKA engine210 may utilize a hook function to intercept packets or records thatinclude a particular session identifier during transmission between theSSL server instance 214 and any application server instance (e.g.,application server instance 212). Session identifiers utilized by DSKAengine 210 may include one or more of a destination address, adestination port number, an origination address, an origination port,and the like. Other session identifiers utilized by DSKA engine 210 mayalso include SSL based information, such as a public key pair value. Inthe event that DSKA engine 210 detects a defined session identifier in apacket or record communicated in session 213, DSKA engine 210 may copythat packet or record. DSKA engine 210 may subsequently extract andstore the session decryption information contained in the copied packetor record in a database 224.

DSKA engine 210 is configured to create and maintain database 224, whichmay comprise any data structure that includes session decryptioninformation that is observed in the communication session 213 betweenapplication server instance 212 and SSL server instance 214. Database224 may also be used to store session decryption information extracteddirectly from key store 222. After successfully storing the sessiondecryption information acquired from the server instance(s) hosted invirtual machine 208, DSKA engine 210 may be configured to forward thesession decryption information to virtual tap instance 216. Foreexample, DSKA engine 210 may generate and forward a report containingthe session decryption information to virtual tap instance 216.Alternatively, database 224 may be accessed directly by virtual tapinstance 216, which subsequently extracts the session decryptioninformation.

After obtaining the session decryption information from the DSKA engine210, virtual tap instance 216 is configured to relay or forward thesession decryption information to NTM agent 202. In some embodiments,virtual tap instance 216 forwards the session decryption information toa virtual network interface card 218, which in turn directs the sessiondecryption information to NTM agent 202 via a secure connection 220. Forexample, DSKA engine 210 may be configured to automatically send thesession decryption information to NTM agent 202 at the time that thesession decryption is obtained by DSKA engine 210. NTM agent 202 isconfigured to store the session decryption information acquired fromDSKA engine 210 (via virtual tap instance 216) and to subsequently usethis session decryption information to decrypt copies of monitorednetwork traffic flow records (and/or packets) associated with thesession, wherein the record copies are provided by the virtual tapinstance 216 (or monitoring probes). In this manner, NTM agent 202 isconfigured to monitor, decrypt and inspect secure session traffic flowrecords in network environment 200, while avoiding the processingbottleneck(s) associated with prior active SSL monitoring/decryptionapproaches.

NTM agent 202 may subsequently inspect the network traffic flow recordsand/or packets decrypted with the session decryption information (i.e.,private key value) and perform NPB functions (e.g., filtering, sampling,de-duplication, and/or data masking) on the decrypted network trafficflow records and/or packets. Similar to the manner described above withrespect to FIG. 1, decrypted packets/records may be subsequentlyprocessed by one or more packet broker filtering rules and/or samplingrules provisioned in NTM agent 202. Namely, the rules are used by NTMagent 202 to determine which packets and/or records are to be forwardedto one or more out-of-band network tools (not shown in FIG. 2).

FIG. 3 is flowchart illustrating a process for monitoring encryptednetwork traffic flows in a virtual environment using dynamic session keyacquisition techniques according to an embodiment of the subject matterdescribed herein. In some embodiments, process 300, or portions thereof,may be performed by DSKA engine 108 and NTM agent 106 shown in FIG. 1and/or DSKA engine 210 and NTM agent 202 shown in FIG. 2. In someembodiments, process 300 may include an algorithm comprising steps 302,304, 306, and/or 308 that is stored in memory and executed by aprocessor (e.g., a CPU of computing platform 104 or 204).

In step 302, session decryption information extraction instructions thatconfigure the DSKA engine to obtain session decryption information forat least one communication session involving a virtual machine arereceived. In some embodiments, one or more monitoring taps or an NTMagent is configured to upload session decryption information extractioninstruction code to the DSKA engine.

In step 304, the session decryption information from the virtual machineis obtained in accordance with the session decryption informationextraction instructions. For example, the session decryption informationincludes cryptographic keys utilized by an application server instancein the virtual machine to establish the at least one communicationsession. In some embodiments, DSKA engine obtains session decryptioninformation directly from a key store associated with a SSL serverinstance executed by the virtual machine. In other embodiments, the DSKAengine monitors a communication session between a monitored applicationserver instance and the SSL server instance. Notably, the DSKA enginemay utilize a hook function that attempts to identify packets or recordscontaining a session identifier Indicated in the previously receivedsession decryption information extraction instructions.

In step 306, the session decryption information obtained from thevirtual machine is stored. In some examples, the DSKA engine isconfigured to store the session decryption information obtained eitherdirectly from the SSL server key store or from the monitoredcommunication session between the SSL server and the monitoredapplication server instance. Notably, the DSKA engine stores theacquired session decryption information in local database 224.

In step 308, the session decryption information is provided to a NTMagent. In some embodiments, the NTM agent utilizes the sessiondecryption information to decrypt copies of encrypted network trafficflows belonging to the at least one communication session involving thevirtual machine. In addition, the NTM agent utilizes the sessiondecryption information to decrypt copies of encrypted network trafficflows belonging to the at least one communication session involving thevirtual machine. For example, the NTM agent may be configured to sendthe decrypted network traffic flows to at least one packet analyzer orout of band monitoring tool. In some embodiments, the packet analyzer isa virtual entity residing completely within the virtual networkenvironment. In other embodiments, the package analyzer may be ahardware-based packet analyzer that is configured to receive unencryptednetwork traffic flows from the NTM agent.

It will be appreciated that process 300 is for illustrative purposes andthat different and/or additional actions may be used. It will also beappreciated that various actions described herein may occur in adifferent order or sequence.

It should be noted that each of the DSKA engine, the NTM agent, and/orfunctionality described herein may constitute a special purposecomputing device. Further, the DSKA engine, the NTM agent, and/orfunctionality described herein can improve the technological field ofmonitoring encrypted network traffic flows involving monitored devicesand applications by implementing a passive inspection mechanism. Forexample, an NTM agent may be directly provided with public and privatekeys associated with a particular monitored session. Notably, the NTMagent does not need to decrypt and re-encrypt network trafficcommunicated involving a monitored device/application. As such, thesession-aware NTM agent can inspect and perform NPB functions, such asfiltering, sampling, de-duplication and data masking at a much higherthroughput rate than a device that implements active SSL decryption.

It will be understood that various details of the subject matterdescribed herein may be changed without departing from the scope of thesubject matter described herein. Furthermore, the foregoing descriptionis for the purpose of illustration only, and not for the purpose oflimitation, as the subject matter described herein is defined by theclaims as set forth hereinafter.

What is claimed is:
 1. A method comprising: by a dynamic session keyacquisition (DSKA) engine residing in a virtual environment: receivingsession decryption information extraction instructions that configurethe DSKA engine to obtain session decryption information for at leastone communication session involving a virtual machine; obtaining thesession decryption information from a server instance hosted by thevirtual machine in accordance with the session decryption informationextraction instructions, wherein the session decryption informationincludes cryptographic keys utilized by an application server instancein the virtual machine to establish the at least one communicationsession; storing the session decryption information obtained from thevirtual machine; and providing the session decryption information to anetwork traffic monitoring (NTM) agent, wherein the NTM agent utilizesthe session decryption information to decrypt copies of encryptednetwork traffic flows belonging to the at least one communicationsession involving the virtual machine.
 2. The method of claim 1 whereinthe session decryption information extraction instructions are receivedby the DSKA engine from a virtual tap instance or the NTM agent.
 3. Themethod of claim 1 wherein obtaining the session decryption informationfrom the virtual machine includes acquiring the session decryptioninformation via a direct access to a key store in the server instancehosted by the virtual machine.
 4. The method of claim 3 wherein the DSKAengine utilizes a query function that sends a request message to theserver instance requesting the session decryption information stored inthe key store.
 5. The method of claim 1 wherein the NTM agent is avirtual instance hosted by a second virtual machine in the virtualenvironment.
 6. The method of claim 1 wherein the NTM agent isconfigured to use the session decryption information to decrypt copiesof encrypted network traffic flow records to produce decrypted networktraffic flow records.
 7. The method of claim 1 wherein the DSKA engineis configured to forward the session decryption information to the NTMagent via at least one virtual tap instance and a virtual networkinterface card.
 8. The method of claim 1 wherein the server instanceincludes a secure sockets layer (SSL) enabled server instance or atransport layer security (TLS) enabled server instance.
 9. A systemcomprising: at least one virtual tap instance residing in a virtualenvironment configured to capture encrypted network traffic flowsbelonging to at least one communication session involving an applicationserver instance hosted by a virtual machine, wherein the at least onevirtual tap instance is a virtual instance of a software-basedmonitoring agent application that executed by a hardware processor of acomputing platform supporting the virtual environment; and a dynamicsession key acquisition (DSKA) engine residing in the virtualenvironment configured to receive session decryption informationextraction instructions that configure the DSKA engine to obtain sessiondecryption information for at least one communication session involvinga virtual machine, to obtain the session decryption information from aserver instance hosted by the virtual machine in accordance with thesession decryption information extraction instructions, wherein thesession decryption information includes cryptographic keys utilized bythe application server instance to establish the at least onecommunication session, to store the session decryption informationobtained from the virtual machine, and to provide the session decryptioninformation to a network traffic monitoring (NTM) agent, wherein the NTMagent utilizes the session decryption information to decrypt copies ofencrypted network traffic flows belonging to the at least onecommunication session involving the virtual machine.
 10. The system ofclaim 9 wherein the session decryption information extractioninstructions are received by the DSKA engine from either a virtual tapinstance or the NTM agent.
 11. The system of claim 9 wherein the DSKAengine is configured to acquire the session decryption information via adirect access to a key store in the server instance hosted by thevirtual machine.
 12. The system of claim 11 wherein the DSKA engine isconfigured to utilize a query function that sends a request message tothe server instance requesting the session decryption information storedin the key store.
 13. The system of claim 9 wherein the NTM agent is avirtual instance hosted by a second virtual machine in the virtualenvironment.
 14. The system of claim 9 wherein the NTM agent isconfigured to use the session decryption information to decrypt copiesof encrypted network traffic flow records to produce decrypted networktraffic flow records.
 15. The system of claim 9 wherein the DSKA engineis configured to forward the session decryption information to the NTMagent via at least one virtual tap instance and a virtual networkinterface card.
 16. The system of claim 9 wherein the server instanceincludes a secure sockets layer (SSL) enabled server instance or atransport layer security (TLS) enabled server instance.
 17. Anon-transitory computer readable medium having stored thereon executableinstructions embodied in the computer readable medium that when executedby at least one processor of a computer cause the computer to performsteps comprising: by a dynamic session key acquisition (DSKA) engineresiding in a virtual environment: receiving session decryptioninformation extraction instructions that configure the DSKA engine toobtain session decryption information for at least one communicationsession involving a virtual machine; obtaining the session decryptioninformation from a server instance hosted by the virtual machine inaccordance with the session decryption information extractioninstructions, wherein the session decryption information includescryptographic keys utilized by an application server instance in thevirtual machine to establish the at least one communication session;storing the session decryption information obtained from the virtualmachine; and providing the session decryption information to a networktraffic monitoring (NTM) agent, wherein the NTM agent utilizes thesession decryption information to decrypt copies of encrypted networktraffic flows belonging to the at least one communication sessioninvolving the virtual machine.
 18. The non-transitory computer readablemedium of claim 17 wherein obtaining the session decryption informationfrom the virtual machine includes acquiring the session decryptioninformation via a direct access to a key store in the server instancehosted by the virtual machine.
 19. The non-transitory computer readablemedium of claim 18 wherein the DSKA engine utilizes a query functionthat sends a request message to the server instance requesting thesession decryption information stored in the key store.
 20. Thenon-transitory computer readable medium of claim 17 wherein the serverinstance includes a secure sockets layer (SSL) enabled server instanceor a transport layer security (TLS) enabled server instance.